Bitlocker TPM and Active Directory Batch File Script for Windows 7

This DOS batch file script does everything for Bitlocker:

-Updates Group Policy and forces no logoff (we use a separate OU for computers staged to be encrypted)
-Enables the TPM
-Sets the TPM password
-Asks for USB drive letter
-Enables Bitlocker
-Backs up key to USB drive
-Backs up key to Active Directory, creates folder based on Hostname of PC
-Copies .BEK key file from USB drive to the network location of your choice (must edit)

rem bitlocker.bat copyright Galen Wollenberg LagunaBeachComputer.com 2014
@echo.
@echo )\.-. /`-. .') )\.---. )\ )\ ' )\.--.
@echo ,' ,-,_) ,' _ \ ( / ( ,-._( ( \, / ( ._.'
@echo( . __ ( '-' ( )) \ '-, ) \ ( `-.`.
@echo ) '._\ _) ) _ ) )'._.-. ) ,-` ( ( \ \ ,_ ( \
@echo( , ( ( ,' ) \ ( ) ( ``-. `.)/ ) ( '.) ) v1.0
@echo )/'._.' )/ )/ )/,__.' )..-.( '.( '._,_.'
@echo 888888b. d8b 888 888 888
@echo 888 "88b Y8P 888 888 888
@echo 888 .88P 888 888 888
@echo 8888888K. 888 888888 888 .d88b. .d8888b 888 888 .d88b. 888d888
@echo 888 "Y88b 888 888 888 d88""88b d88P" 888 .88P d8P Y8b 888P"
@echo 888 888 888 888 888 888 888 888 888888K 88888888 888
@echo 888 d88P 888 Y88b. 888 Y88..88P Y88b. 888 "88b Y8b. 888
@echo 8888888P" 888 "Y888 888 "Y88P" "Y8888P 888 888 "Y8888 888
@echo .d8888b.
@echo d88P Y88b
@echo Y88b.
@echo "Y888b. 888 888 88888b. .d88b. 888d888
@echo "Y88b. 888 888 888 "88b d8P Y8b 888P"
@echo "888 888 888 888 888 88888888 888
@echo Y88b d88P Y88b 888 888 d88P Y8b. 888
@echo "Y8888P" "Y88888 88888P" "Y8888 888
@echo 888
@echo 888
@echo 888
@echo .d8888b. d8b 888 888 888 888
@echo d88P Y88b Y8P 888 888 888 888
@echo Y88b. 888 888 888 888
@echo "Y888b. .d8888b 888d888 888 88888b. 888888 888 888 888
@echo "Y88b. d88P" 888P" 888 888 "88b 888 888 888 888
@echo "888 888 888 888 888 888 888 Y8P Y8P Y8P
@echo Y88b d88P Y88b. 888 888 888 d88P Y88b. " " "
@echo "Y8888P" "Y8888P 888 888 88888P" "Y888 888 888 888
@echo 888
@echo 888
@echo 888
@echo.
@echo *** Did you Move the USAVxDxxx to Bitlocker Staging in AD?
@echo.
@echo n | gpupdate /force

@echo.
@echo *** Enable TPM
manage-bde -tpm -t
@echo.
@echo *** Set TPM Password
manage-bde -tpm -o P@ssw0rd

@echo off
@echo.
set usbletter=e:
Set /p usbletter= "Enter the letter of the USB drive ([e:]): "
If "%usbletter%"=="e:" goto :sub_gotlettere

@echo.
echo * USB Drive is %usbletter%
echo.
echo *** Deleting existing .BEK files on USB...
echo.
attrib -h -s -r -a %usbletter%:\*.BEK
del %usbletter%:\*.bek
echo.
echo *** Enabling Bitlocker Encrytion on C: ...
@echo.
Manage-BDE.exe -on c: -recoverypassword -recoverykey %usbletter%
@echo.
goto sub_go

:sub_gotlettere
@echo.
set usbletter=e:
echo * USB Drive is %usbletter%
@echo.
echo *** Deleting existing .BEK files on USB...
echo.
attrib -h -s -r -a e:\*.BEK
del e:\*.BEK
echo.
echo *** Enabling Bitlocker Encrytion on C: ...
@echo.
Manage-BDE.exe -on c: -recoverypassword -recoverykey e:
goto sub_go

:sub_go
@echo.
Manage-BDE.exe -protectors -get c:|findstr ID >%Temp%\ID.txt
echo+
echo+
echo+
echo *** Saving Bitlocker Key to Active Directory...
echo.
for /f "tokens=1,2" %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -id %%b
echo+
@Echo ****** VERIFY THE KEY WAS SAVED TO AD, ignore 1st/3rd ERROR ABOVE ^ *****
@echo.
@Echo ****** LOOK FOR this V , up Above ^ *****
@Echo ****** "Recovery information was successfully backed up to Active Directory." *****
@pause
echo.
echo * This is %computername%
Echo.
echo *** Creating folder at I:\BITLOCKER\Saved_Keys\Enterprise\%computername%
echo.
md \\data\it\BITLOCKER\Saved_Keys\Enterprise\%computername%
attrib -h -s -r -a %usbletter%\*.BEK
@echo.
@echo *** Copying .BEK key file from USBdrive to
@echo *** I:\BITLOCKER\Saved_Keys\Enterprise\%computername%
echo.
copy %usbletter%\*.BEK \\data\it\BITLOCKER\Saved_Keys\Enterprise\%computername%
start \\data\it\BITLOCKER\Saved_Keys\Enterprise\%computername%\
echo.
@echo ****** NOW You Just Need to RENAME the .BEK file
@echo ****** adding the %computername%_xxxxxxxx_xxxx_xxxx_xxxx_xxxxxxx.bek ******
@echo.
@echo 8888888b.
@echo 888 Y88b
@echo 888 888
@echo 888 d88P .d88b. 88888b. 8888b. 88888b.d88b. .d88b.
@echo 8888888P" d8P Y8b 888 "88b "88b 888 "888 "88b d8P Y8b
@echo 888 T88b 88888888 888 888 .d888888 888 888 888 88888888
@echo 888 T88b Y8b. 888 888 888 888 888 888 888 Y8b.
@echo 888 T88b "Y8888 888 888 "Y888888 888 888 888 "Y8888
@echo.
@echo 888888b. 8888888888 888 d8P 8888888888 d8b 888
@echo 888 "88b 888 888 d8P 888 Y8P 888
@echo 888 .88P 888 888 d8P 888 888
@echo 8888888K. 8888888 888d88K 8888888 888 888 .d88b.
@echo 888 "Y88b 888 8888888b 888 888 888 d8P Y8b
@echo 888 888 888 888 Y88b 888 888 888 88888888
@echo d8b 888 d88P 888 888 Y88b 888 888 888 Y8b.
@echo Y8P 8888888P" 8888888888 888 Y88b 888 888 888 "Y8888
@echo.
@echo .d8888b. 8888888b. 888 888
@echo d88P "88b 888 Y88b 888 888
@echo Y88b. d88P 888 888 888 888
@echo "Y8888P" 888 d88P .d88b. 88888b. .d88b. .d88b. 888888
@echo .d88P88K.d88P 8888888P" d8P Y8b 888 "88b d88""88b d88""88b 888
@echo 888" Y888P" 888 T88b 88888888 888 888 888 888 888 888 888
@echo Y88b .d8888b 888 T88b Y8b. 888 d88P Y88..88P Y88..88P Y88b.
@echo "Y8888P" Y88b 888 T88b "Y8888 88888P" "Y88P" "Y88P" "Y888
@echo.
@pause
rem ren \\data\it\BITLOCKER\Saved_Keys\Enterprise\%computername%\*.bek rem \\data\it\BITLOCKER\Saved_Keys\Enterprise\%computername%\